not vulnerable to Heartbleed? not so fast…

Oh, come on, already!

Think your sites are safe from Heartbleed related sploits?  Not so fast, sunshine…

According to one pen tester, many of the tools that purport to detect servers vulnerable to the Heartbleed bug are buggy themselves, producing false negatives and, in turn, a false sense of security that lets vulnerable sites stay vulnerable.  According to his testing, the Qualys SSL Labs site is the most accurate “big name” source for checking your servers.  He has also released a script called Cardiac Arrest, which he claims is more accurate than other Heartbleed tests.  If you have already “cleared” your sites using the tools released right after the bug was announced, you might want to double check your results using one of these tools just to be sure.

It also turns out that certificate authorities are not the only ones profiting from Heartbleed.  Because many, many organizations are busily revoking potentially compromised digital certificates, the certificate revocation lists (CRLs) that browsers download in order to avoid trusting these revoked certs have been ballooning in size, from just a few kilobytes to megabytes.  These CRLs get downloaded from the CAs millions of times a day, leading to additional bandwidth charges from their ISPs.  So now we have two sections of the Internet economy benefiting from Heartbleed.

Finally, the Canadians have arrested a teenage hacker in connection with an attack on the Canadian Revenue Authority’s e-filing website, which resulted in around 900 taxpayers’ personal information being disclosed.
